Introduction


Lack  of  security  and  privacy  are  two  very 
common  problems  facing  those  involved  with 
computers  today.  Many  people  in  the  computer 
business  are  simply  not  aware  of  or  are 
apathetic  to  ADP  (automated  data  processing) 
security  and  privacy  matters. 

Loss  of  security  and  privacy  is,  however,  a 
very  real  threat  in  today's  highly  automated 
world.  Without  strict  security  and  privacy 
regulations,  data  could  be  lost,  stolen,  or 
manipulated.  Since  much  modern  data  are 
beginning  to  be  stored  in  ADP  systems,  misuse, 
mismanagement,  or  just  plain  carelessness  could 
result  in  major  problems  for  a  great  number  of 
people. 

Some  security  can  be  built  into  ADP  hardware 
and  software  during  the  developmental  phase, 
but,  at  the  present  time,  no  system  is 
completely  secure.  It  is  the  responsibility  of 
computer users/custodians to maintain a high
level of security and privacy for all computer
files.

Because of the obvious lack of awareness
concerning  security  and  privacy,  the  following 
questions  need  to  be  answered: 

1.  What  do  the  terms  "security"  and 
"privacy"  mean  when  used  in  connection 
with  ADP  hardware  and  software? 

2.  What  happens  when  there  is  a  lack  of 
security?  of  privacy? 

3. What are some of the causes of this lack
of  security  and  privacy? 

4.  Who  has  the  ultimate  responsibility  for 
maintaining  security  and  determining 
privacy  requirements? 

5.  What  are  some  of  the  possible  solutions 
for  these  problems? 

Security— What Is It?

According to Webster, security is a state of
being or feeling secure: freedom from fear,
anxiety, danger, doubt, etc. It is also a state or
sense of safety or certainty.

How  Does  Security  Relate  to  ADP  Systems? 

In order to have a secure ADP system, only
those with a need-to-know should have access
to data. Security also means that data in ADP
systems should be correct and their integrity
intact. In other words, security refers to the
protection of resources from damage and the
protection of data against accidental or
intentional disclosure or unauthorized
modification or destruction.

What  Are  ADP  Systems? 

Automated data processing systems are
primarily, but not solely, computers. An ADP
system is essentially made up of six elements

Why Is Security Such a Problem?

Security in ADP systems is becoming a
problem in direct proportion to the increase in
the number of computer systems becoming
available. One major reason computers have
security problems is because they are located in
a hostile environment. Such vulnerability stems
from the following factors

The security aspects of ADP systems can be
defined as:

1.  Large  scale  data  bases  containing  sensitive 
information, 

2.  Remote  access  considerations, 

3. Constant growth in numbers of users, and

4.  Increase  in  numbers  of  personnel  with 
technical  knowledge  required  to  access 
computer  systems. 

Why  Are  Security  Problems  on  the  Rise? 

In today's complex world, there is an
increased dependency upon computer systems
for critical and sensitive applications.

Dependency also stems from a lack of manual
backup systems and inadequate contingency
planning.

Although there is an increased dependency
upon computers, there has been apathy or a
lack of awareness concerning security because
of work exigencies. There is also the matter of
limited resources that require careful
consideration of priorities.

In other words, because of the great demand
for fast, efficient computer services, security has
not been completely and competently
maintained.

Are  There  Any  Other  Security  Problems? 


In  addition  to  the  vulnerabilities  produced  as 
a  by-product  of  the  computer  industry  growth, 
there  are  certain  very  real  threats  to  security 
including: 

1.  Natural  hazards 

• Fire,

• Flood,

• Severe storm,

• Failure of electrical power (e.g., air
conditioning),

•  Communications  failure,  and 

•  System  failure. 

2.  Accidental  errors,  omissions,  or  failures 

•  User  errors, 

•  Operator  errors, 

•  Data  preparation  errors, 

•  Application  program  errors, 

• Output errors,

• System errors,

•  Communication  errors,  and 

•  Inadvertent  release  of  sensitive 
information. 

What Can Be Done About Such Threats?

It would be difficult, if not impossible, to
prevent natural hazards. However, accidental
errors, omissions, or failures, and deliberate
computer abuses are problems that can be kept
to a minimum with proper maintenance and
surveillance. Although security should be built
into a system, no system can be really secure
unless the user makes it secure. To put this
another way, no matter how many security
gadgets are used, a secure system is no better
than the person using it. Security must be a
personal matter with every computer operator
and user in order to have a significant impact.


Who  Is  Actually  Responsible  for  Security? 


It is the responsibility of the system designers
and manufacturers to build security into an ADP
system. Users have the responsibility to maintain
a careful watch on their security practices.
Management is also responsible since they
should set up security requirements and
regulations for their employees. In addition, the
vendors and users should work together to
determine who is responsible for what
computer security function.

It should be kept in mind, though, that when
a security system is being set up, requirements
and regulations should be easily understood and
workable. Too much restriction and too much
regulation are as bad as too little of either one.

What Roles Do Management and Users
Play in Security Problems?


In  most  cases,  management  plays  a  key  role 
in  the  problems  associated  with  security.  In 
general,  most  managers  are  mission-oriented. 
They  are  more  concerned  with  the  ultimate 
product  than  with  the  production  process. 
Management  has  recently  become  more  aware 
of  the  critical  problems  associated  with 
computer  security  and  they  are  taking  strong 
measures  to  resolve  those  problems. 

Individual  users  also  have  problems  with 
security.  There  seems  to  be  a  lack  of  concern 
with  regard  to  system  security.  The  user  has  a 
tendency  to  view  a  computer  as  just  another 
inanimate  object,  and  yet,  this  inanimate  object 
still  presents  a  challenge  to  him.  In  most  cases, 
a  user  will  not  consider  computer  abuse  (on  a 
small  scale)  a  crime.  Computer  system  users  can 
also  be  lax  about  reporting  known  security 
violations because they don't realize that it can
jeopardize  their  own  security. 


There  is  also  another  problem  regarding  user 
security.  Many  computer  users  feel  that  the 
classification  of  data  is  the  responsibility  of 
those  involved  with  computer  operation  rather 
than  that  of  computer  users.  In  fact, 
classification  rests  in  the  hands  of  subject  matter 
specialists,  not  computer  operations  people. 

Today's  computer  world  is  marked  by  rapid 
growth  and  extension  of  applications,  continued 
growth  in  the  numbers  of  systems  (especially 
mini-  and  micro-computers),  and  large  increases 
in  the  numbers  of  people  involved  in  data 
processing. In such an environment,
management's lack of involvement and users'
apathy serve only to compound the ADP
security problem.

Privacy— What Is It?

Webster defines privacy as the quality or
condition of being private; withdrawal from
public view or company; seclusion; secrecy. It
can also be one's private or personal affairs.

How  Does  Privacy  Relate  to  ADP 
Systems? 

First of all, one must realize the amount of
sensitive personal data that is stored in today's
computers. A person's entire history is recorded,
including financial data, medical records, military
files, and so forth. An ADP system becomes a
storehouse of valuable but, in many cases, very
private information. Privacy, then, refers to the
rights of individuals and organizations to
determine for themselves when, how, and to
what extent information about them is to be
transmitted to others. Privacy is an issue that
goes far beyond computer centers and can be
thought of as a people problem since people,
not machines, affect it.


Who  Could  Gain  from  Use  of  Personal 
Data? 


A person who gained access to data files
without a need-to-know could cause many
problems, not only for the private citizen but to
others as well. He or she could, for example:

1. Manipulate data,

2. Modify/falsify data,

3. Acquire proprietary information and
programs,

4. Alter stored programs,

5. Change master files,

6. Access passwords/algorithms, or

7. Deny authorized access.

In other words, someone could deliberately
abuse computer files to affect many aspects of a
person's life, such as his credit rating,
employment records, even his community
standing.


Has  Anything  Been  Done  to  Prevent  Such 
Acts? 


Congress passed the "Privacy Act of 1974,"
which sets up certain guidelines regarding
privacy and data stored in computers and
manual files. In essence, Congress recognized
that  a  person  does  have  a  right  to  privacy, 
including  privacy  with  regard  to  personal  files. 
However,  there  are  instances  when  such  files 
would  be  made  available  to  authorized  persons 
upon  request. 

What  Are  the  Custodian's  Responsibilities 
Concerning  Privacy? 

The custodian has a responsibility to
determine information necessary when a
request has been received for file information.
The accuracy standards should also be
determined, along with identification of
protection requirements, and the establishment
of the sensitivity of requested information.


The  custodian  should  also  determine  how  the 
use  of  the  information  requested  could 
adversely  affect  the  particular  individual 
involved.  He  can  do  this  by  considering  the 
following  criteria: 

1.  What  is  adverse? 

2.  What  data  are  vital? 

3. What should be done if vital information
is  in  error? 

4.  What  should  be  done  if  vital  information 
is  disputed? 

5.  What  should  be  done  if  vital  information 
is  missing? 

6.  How  much  impact  will  an  error  correction 
have  on  a  system? 

A  determination  should  also  be  made  as  to 
the  '  need-to-know 


Summary of ADP Security/Privacy
Problems


What  Can  Be  Done? 

The typical problem areas with regard to
computer  security  are  as  follows: 

1.  Insufficient  emphasis  on  computer 
security  (i.e.,  inadequate  security 
planning,  contingency  planning), 

2. Lack of vulnerability/threat/risk
assessment,

3. Lack of management involvement in
computer security issues, and

4. Lack of protection against natural
disasters.

Computer privacy problems include:

1. Manipulation of data (modification or
falsification),

2. Acquisition of proprietary information
without a "need-to-know," and

3. Unauthorized acquisition of
passwords/algorithms.


Security and privacy are two very important
facets that a society, which is fast becoming
automated, has to take into account. Although
many things contribute to a lack or loss of
security and privacy, the main ingredients in
any security or privacy problem are the people
involved with the systems. To most people,
"security" and "privacy" are nebulous terms, and
rather than learn all the rules and regulations
concerning them, they choose to be apathetic.
In order for society to have an effective and
efficient computerized network, not only the
systems themselves, but also all of the people
involved with them, must be "geared" toward
maintaining security and privacy. Security and
privacy measures cannot be looked upon as
unimportant or not pertinent, but must become
an integral part of the computer environment.


This booklet was prepared by the Computer Sciences
Department to promote awareness of computer
security and privacy problems.

The Computer Sciences Department wishes to
acknowledge the excellent response and assistance
provided by Mr. J. Bonas, Graphics Branch, and Mr. W.
I. Conforti, Technical Writing Branch, in planning this
publication. Appreciation is also extended to Mr. D. W.
Litton, Graphics Branch, for conceiving and preparing
the artwork; to Ms. P. A. Ellis, Technical Writing
Branch, for coordinating and writing the booklet; and
to Mr. J. I. Neville, Jr., Programming and Computer
Operations Branch, for his ideas and guidance.

Questions and comments concerning the contents of
this booklet should be directed to Mr. J. R. Babiec
(Code 44 \).